A laptop containing medical records for more than 5,000 people has been lost by a hospital near Dudley.
The latest data giveway occurred on 8 January. The laptop was taken from an outpatients department at Russells Hall Hospital.
West Midlands Police is investigating the theft and several thousand people have received warning …

Wow I'm amazed

Any suprises?

Maybe government departments should start reporting non loss of data, say along the lines of:

NEWS!

Minister takes unencrypted, unpassworded laptop home, leaves it in his unlocked car for the weekend with a sticker on the windscreen saying personal details of 10 million people on this pc on the seat and then returned to work with all the data intact on Monday morning.

Security has to begin with the physical security of devices, don't the NHS realise that the people who use them cannot afford to go private and as such the sight of an unsecure, unattended laptop lying around is just too much temptation.

Oh, that's just *so* secure...

"The database is password/login protected and a separate trust login and password is required to operate the laptop." - So windows password to logon and that's it? Seriously - do these people have any understanding of what "Secure" actually means?

Dudley dunce dumps doctors' data.

What I'd really like to know is why; given the money currently being spent (wasted?) on further designing and re-implimenting a national database of patient records; a central store of personal details; a repository of useful information with a secure (debatable - I know) system of access... WHY oh why does the information keep finding itself on laptops that are about to be stolen? Carrying paperwork in a discrete brown bag would be a more effective method of data protection. Here's another clue - don't let staff take laptops home with them. If they cannot get their job done at work - then they are trying to do the job of two people.

Better than Gov't security??

OK, so all they need to do to get into the data is take the drive out of the laptop, connect it to another machine, copy the database off then run a brute force password attack on it (or some other method).

Latest?

Privacy?

Forget CCTVs, forget Vehicle Tracking, forget number plate recognition, forget gait recognition, forget facial recognition, forget data retention and forget mobile phone logging. All of the above takes way to long, we have over half of the population exposed to ID theft purely from the government "losing" it.

Who needs all the big brother tactics when the government will just give it away. Hell why not just expose the other half of the population and be done with it, at least then everyone will be on an even playing field.

37M people's data "lost" in the last what 18 months? Outstanding job, they couldn't have done better if they had -tried- to give the data away, too much red tape and all that crap.

Revolution anyone?

Paris because the government has now officially fucked more people than she has.

@ world + dog

The point isn't whether the data is encrypted, password protected or whatever, it's that anyone downloading or extracting medical records to a laptop, memory stick or some such should be escorted to their desk by a security bod bearing a bin bag, having been told to pack up and fuck off. While we're at it, how about bringing back dumb terminals?

Phew, don't panic...

It's Windows, it's password protected :/....let's just hope they are out for the hardware and not the data eh... Never mind a few piddly med records - soon ALL our data will be in the hands of whichever employee of whichever dubious government/corporate organisation that wants it, anywhere around the world (oh yes, not Just Europe, check the SHAM that is NIS), in a few clicks. "All of your data are belong to THEM"...and like THAT, we were all OWNED.

You can lead a horse to water.

"I'm a doctor and I want my sausages".

This'll be some doctor who's been "clever" and "knows more than his IT department" and has "solved" the problem of not having access to this database all the time by creating an Access DB, hitting the "import data" button and, well you can guess the rest.

The "real" database will be Oracle, MySQL or SQL Server, or hosted by a clinical supplier somewhere in Birmingham in a data warehouse. The problem will be (and always is) the chair-keyboard interface. Even if you only give 'em a web interface so there's no data source for them to misuse the buggers will cut and paste it "because I need it to screw up^h^h^h^h^h^h^h^h do my job"

Paris because in one way she's a dream user. Too thick to copy secure data to anywhere it shouldn't be.

It'll get worse

until people realise that when their IT department tells them that something is a bleedin' stupid idea, whether it be carrying around confidential data on laptops, sticking their passwords on post-its, sharing usernames and passwords around like biscuits and every other brain dead thing that they do, it actually *is* a bleedin' stupid idea, and they shouldn't do it. But no. They'll trust some spotty kid to solve their IT problems, but the professionals in their IT departments know nothing.

To nickj

Noooooo! People keep saying "anyone downloading to USB sticks should be shot" or "anyone taking a laptop outside should be hanged". That's NOT your call to make. There are perfectly acceptable reasons for certain users to move data around on sticks and laptops - and there are perfectly good solutions to manage the risk in doing so.

The problem isn't necessarily people moving data around - although it could be, we don't know what their jobs entail - but that the risks have not been properly assessed and suitable solutions put in place to mitigate them.

I carry a USB stick between home and work every day full of sensitive data which I work on at home and in work. Both machines and the USB stick are encrypted transparently and require a key to be present on the machine. For me it "just works". For anyone else the stick is unreadable and has no valid filesystem installed.

Other risk assessments include malware, espionage, kidnap and torture - you go as deep as needed until the total cost of mitigating the risk outweighs the total cost of the risk itself. The above works fine for me - no shootings or hangings required.

Work at home?

I keep seeing the lame excuse "I needed that data so I could work at home."

And what, pray tell, is the difficulty with doing your job during normal working hours at your normal place of work? *Especially* when the data is so sensitive? One suspects that it's just an ego-stroking exercise: look at me, how important I am, *I* have to use this laptop full of Important Data while I travel." To use a charming old Briticism, bollocks.

Color me "not convinced."

At least some of this carting data by hand around the landscape must be intended only to justify a seat in first class "so they can work in peace and quiet."

An anonymous coward wrote "Doctors and such are often working at sites where they don't have access to the main NHS network."

What sites are these where they don't have network access? And what kind of work is it that requires so much data that it can't be transferred via a good old-fashioned PPP dialup, available anywhere there is a phone line. For that matter, you could do PPP over a cell phone, no? [Excuse me if my technology is out of date, but I'm retired and no longer fret over details. The rest of you can just suffer.]

If the volume of data is too great for dialup to handle, then that doctor (or such) is doing too much work in the wrong place—precisely the same issue all over again.

PS: and what are these "and such" folks who are categorized with doctors?

It smells like a lot of ego-masturbation going on, the laptop full of Important Data being the new status symbol, never mind the potential consequences of forgetfulness, stupidity, or sheer bad luck.

"Wonder why they ever called them NHS Trusts."

Obviously

"HMRC twice lost 25 million records relating to child benefits, the DVLA lost 6,000 records for vehicle owners, and the MoD misplaced a laptop containing details of 600,000 applicants to the armed services."

And you wonder why the Russians have canceled their spying budget for the UK ??

What take the data off site?

Dunno about this case, but we certainly have occasions when the data is COLLECTED off site - outreach clinics etc. so I can see a reason for laptops with personal data. I don't ever put clinical information on my laptop, and the colleagues who do have PGP-style encryption on the drives (not sure how that works in terms of hardware/software, but the Trust IT people are sufficently convinced to actually spend money on it, which given out overspend is a pretty conviincing argument to me).

But the hard part is getting users to appreciate that "security" isn't an on/off thing. They all think "password protected" = secure. Don't these guys EVER go to the cinema? I mean, if Tom Cruise can do it, how hard can it be?

Do they know the data isnt protected?

How many Joe Nobodys in any organisation care about the data on their machines, and indeed laptops. "If it gets stolen, I'll get a new one and a wrap on the wrist". How many heads have rolled? IT departments believe they have policies in place, but how are these communicated to the staff who have the data on laptops?

Mobile data is inevitable for the foreseeable future, more and more people are working wherever they are. Securing all this data is impossible unless you have a full disk encryption tool. Users need educating and even penalised when they loose a laptop or any device which contains date. During this process, something is needed to ensure any organisation in this position is 100% certain the data has been removed and not been accessed. There are tools on the market, one we have been looking at is Backstopp (www.backstopp.com).

We are taking the approach of while our data is mobile we will protect it anyway we can. If it falls into the wrong hands, we can ensure that we know they cant access it. All this while working to ensure data never leaves the servers, going back to the old centralised computing model.

RE: Laptops not safe

Bollocks indeed

Wow, all these people who've never thought that you might need to work somewhere else. Particularly people who can't imagine why someone might want to work from home - dudes, where have you been for the last 20 years?

In the specific case of healthcare workers, consider consultants. Many consultants have a private surgery somewhere and come into the hospital a few times a week. That means they need the information about their patients in two places - or maybe three if they plan on researching the case at home - and no, they might not have NHS network access at their surgery or at their home. Is their primary concern going to be data security? I doubt it - their primary concern will be making sure that their patients survive.

Or better, consider what happens when the network goes down. Do you truly think you can guarantee no network outages, ever? The rest of us know that networks can and do go down. For us, a network outage might just mean 10 minutes without web access, or inability to do some coding. For a doctor, it means they don't know what blood type their patient is, what their allergies are or when they last had a shot of opiate-based painkiller. Get these wrong and your patient is 200lbs of dead meat on a stretcher.

The "and such" people classified with doctors would be surgeons (call a surgeon "Doctor" and watch the reaction), nurses and anaesthetists as a minimum for professional care. It might also include admin staff who need to order enough rare blood groups for the next week's surgery cases, for example.

Most of the people commenting here are seeing IT as an end in itself, and failure to follow what they think of as "best practise" as a sign of stupidity. For the rest of us, IT are merely servants whose work enables us to do our jobs more efficiently. If their "best practise" will impede us doing our jobs then we need to check whether we need to do it that way - so if the result of IT's grand plans would be that people die, as in this example, then IT can go screw themselves. It doesn't mean completely ignoring data security - remember that the laptop and the database need passwords, and one would hope the database password includes encryption since this is trivial - but it does mean choosing how much is worth having.